From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001
ec6a9e
From: Mark Andrews <marka@isc.org>
ec6a9e
Date: Tue, 18 Jan 2022 00:19:47 +1100
ec6a9e
Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
ec6a9e
ec6a9e
- Check that an NS in an authority section returned from a forwarder
ec6a9e
  which is above the name in a configured "forward first" or "forward
ec6a9e
  only" zone (i.e., net/NS in a response from a forwarder configured for
ec6a9e
  local.net) is not cached.
ec6a9e
- Test that a DNAME for a parent domain will not be cached when sent
ec6a9e
  in a response from a forwarder configured to answer for a child.
ec6a9e
- Check that glue is rejected if its name falls below that of zone
ec6a9e
  configured locally.
ec6a9e
- Check that extra out-of-bailiwick data in the answer section is
ec6a9e
  not cached (this was already working correctly, but was not explicitly
ec6a9e
  tested before).
ec6a9e
ec6a9e
(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
ec6a9e
(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739)
ec6a9e
---
ec6a9e
 bin/tests/system/forward/ans11/ans.py         | 136 ++++++++++++++++++
ec6a9e
 bin/tests/system/forward/clean.sh             |   2 +
ec6a9e
 bin/tests/system/forward/ns1/diditwork.net.db |  22 +++
ec6a9e
 bin/tests/system/forward/ns1/named.conf.in    |  20 +++
ec6a9e
 bin/tests/system/forward/ns1/net.example.lll  |  15 ++
ec6a9e
 bin/tests/system/forward/ns1/spoofed.net.db   |  22 +++
ec6a9e
 bin/tests/system/forward/ns1/sub.local.net.db |  22 +++
ec6a9e
 bin/tests/system/forward/ns10/fakenet.zone    |  17 +++
ec6a9e
 bin/tests/system/forward/ns10/fakenet2.zone   |  15 ++
ec6a9e
 .../system/forward/ns10/fakesublocalnet.zone  |  15 ++
ec6a9e
 .../system/forward/ns10/fakesublocaltld.zone  |  15 ++
ec6a9e
 bin/tests/system/forward/ns10/named.conf.in   |  53 +++++++
ec6a9e
 bin/tests/system/forward/ns10/net.example.lll |  15 ++
ec6a9e
 bin/tests/system/forward/ns10/spoofednet.zone |  16 +++
ec6a9e
 bin/tests/system/forward/ns2/tld.db           |   6 +
ec6a9e
 bin/tests/system/forward/ns4/named.conf.in    |   5 +
ec6a9e
 bin/tests/system/forward/ns4/sibling.tld.db   |  22 +++
ec6a9e
 bin/tests/system/forward/ns8/named.conf.in    |   5 +
ec6a9e
 bin/tests/system/forward/ns8/sub.local.tld.db |  15 ++
ec6a9e
 bin/tests/system/forward/ns9/local.net.db     |  16 +++
ec6a9e
 bin/tests/system/forward/ns9/local.tld.db     |  15 ++
ec6a9e
 bin/tests/system/forward/ns9/named1.conf.in   |  67 +++++++++
ec6a9e
 bin/tests/system/forward/ns9/named2.conf.in   |  70 +++++++++
ec6a9e
 bin/tests/system/forward/ns9/named3.conf.in   |  50 +++++++
ec6a9e
 bin/tests/system/forward/ns9/named4.conf.in   |  47 ++++++
ec6a9e
 bin/tests/system/forward/ns9/root.db          |  13 ++
ec6a9e
 bin/tests/system/forward/setup.sh             |   2 +
ec6a9e
 bin/tests/system/forward/tests.sh             | 122 ++++++++++++++++
ec6a9e
 bin/tests/system/ifconfig.sh                  |   8 +-
ec6a9e
 29 files changed, 844 insertions(+), 4 deletions(-)
ec6a9e
 create mode 100644 bin/tests/system/forward/ans11/ans.py
ec6a9e
 create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns1/net.example.lll
ec6a9e
 create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/named.conf.in
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/net.example.lll
ec6a9e
 create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
ec6a9e
 create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/local.net.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/local.tld.db
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
ec6a9e
 create mode 100644 bin/tests/system/forward/ns9/root.db
ec6a9e
ec6a9e
diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..1d35b3d3f1
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ans11/ans.py
ec6a9e
@@ -0,0 +1,136 @@
ec6a9e
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+#
ec6a9e
+# SPDX-License-Identifier: MPL-2.0
ec6a9e
+#
ec6a9e
+# This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+#
ec6a9e
+# See the COPYRIGHT file distributed with this work for additional
ec6a9e
+# information regarding copyright ownership.
ec6a9e
+
ec6a9e
+from __future__ import print_function
ec6a9e
+import os
ec6a9e
+import sys
ec6a9e
+import signal
ec6a9e
+import socket
ec6a9e
+import select
ec6a9e
+from datetime import datetime, timedelta
ec6a9e
+import time
ec6a9e
+import functools
ec6a9e
+
ec6a9e
+import dns, dns.message, dns.query, dns.flags
ec6a9e
+from dns.rdatatype import *
ec6a9e
+from dns.rdataclass import *
ec6a9e
+from dns.rcode import *
ec6a9e
+from dns.name import *
ec6a9e
+
ec6a9e
+# Log query to file
ec6a9e
+def logquery(type, qname):
ec6a9e
+    with open("qlog", "a") as f:
ec6a9e
+        f.write("%s %s\n", type, qname)
ec6a9e
+
ec6a9e
+############################################################################
ec6a9e
+# Respond to a DNS query.
ec6a9e
+############################################################################
ec6a9e
+def create_response(msg):
ec6a9e
+    m = dns.message.from_wire(msg)
ec6a9e
+    qname = m.question[0].name.to_text()
ec6a9e
+    rrtype = m.question[0].rdtype
ec6a9e
+    typename = dns.rdatatype.to_text(rrtype)
ec6a9e
+
ec6a9e
+    with open("query.log", "a") as f:
ec6a9e
+        f.write("%s %s\n" % (typename, qname))
ec6a9e
+        print("%s %s" % (typename, qname), end=" ")
ec6a9e
+
ec6a9e
+    r = dns.message.make_response(m)
ec6a9e
+    r.set_rcode(NOERROR)
ec6a9e
+    if rrtype == A:
ec6a9e
+        tld=qname.split('.')[-2] + '.'
ec6a9e
+        ns="local." + tld
ec6a9e
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
ec6a9e
+        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
ec6a9e
+        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
ec6a9e
+    elif rrtype == NS:
ec6a9e
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
ec6a9e
+    elif rrtype == SOA:
ec6a9e
+        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
ec6a9e
+    else:
ec6a9e
+        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
ec6a9e
+    r.flags |= dns.flags.AA
ec6a9e
+    return r
ec6a9e
+
ec6a9e
+def sigterm(signum, frame):
ec6a9e
+    print ("Shutting down now...")
ec6a9e
+    os.remove('ans.pid')
ec6a9e
+    running = False
ec6a9e
+    sys.exit(0)
ec6a9e
+
ec6a9e
+############################################################################
ec6a9e
+# Main
ec6a9e
+#
ec6a9e
+# Set up responder and control channel, open the pid file, and start
ec6a9e
+# the main loop, listening for queries on the query channel or commands
ec6a9e
+# on the control channel and acting on them.
ec6a9e
+############################################################################
ec6a9e
+ip4 = "10.53.0.11"
ec6a9e
+ip6 = "fd92:7065:b8e:ffff::11"
ec6a9e
+
ec6a9e
+try: port=int(os.environ['PORT'])
ec6a9e
+except: port=5300
ec6a9e
+
ec6a9e
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ec6a9e
+query4_socket.bind((ip4, port))
ec6a9e
+havev6 = True
ec6a9e
+try:
ec6a9e
+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
ec6a9e
+    try:
ec6a9e
+        query6_socket.bind((ip6, port))
ec6a9e
+    except:
ec6a9e
+        query6_socket.close()
ec6a9e
+        havev6 = False
ec6a9e
+except:
ec6a9e
+    havev6 = False
ec6a9e
+signal.signal(signal.SIGTERM, sigterm)
ec6a9e
+
ec6a9e
+f = open('ans.pid', 'w')
ec6a9e
+pid = os.getpid()
ec6a9e
+print (pid, file=f)
ec6a9e
+f.close()
ec6a9e
+
ec6a9e
+running = True
ec6a9e
+
ec6a9e
+print ("Listening on %s port %d" % (ip4, port))
ec6a9e
+if havev6:
ec6a9e
+    print ("Listening on %s port %d" % (ip6, port))
ec6a9e
+print ("Ctrl-c to quit")
ec6a9e
+
ec6a9e
+if havev6:
ec6a9e
+    input = [query4_socket, query6_socket]
ec6a9e
+else:
ec6a9e
+    input = [query4_socket]
ec6a9e
+
ec6a9e
+while running:
ec6a9e
+    try:
ec6a9e
+        inputready, outputready, exceptready = select.select(input, [], [])
ec6a9e
+    except select.error as e:
ec6a9e
+        break
ec6a9e
+    except socket.error as e:
ec6a9e
+        break
ec6a9e
+    except KeyboardInterrupt:
ec6a9e
+        break
ec6a9e
+
ec6a9e
+    for s in inputready:
ec6a9e
+        if s == query4_socket or s == query6_socket:
ec6a9e
+            print ("Query received on %s" %
ec6a9e
+                    (ip4 if s == query4_socket else ip6), end=" ")
ec6a9e
+            # Handle incoming queries
ec6a9e
+            msg = s.recvfrom(65535)
ec6a9e
+            rsp = create_response(msg[0])
ec6a9e
+            if rsp:
ec6a9e
+                print(dns.rcode.to_text(rsp.rcode()))
ec6a9e
+                s.sendto(rsp.to_wire(), msg[1])
ec6a9e
+            else:
ec6a9e
+                print("NO RESPONSE")
ec6a9e
+    if not running:
ec6a9e
+        break
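Review bot: `logquery` near the top of the file passes its format arguments straight to `f.write("%s %s\n", type, qname)`, which raises TypeError because write() takes a single string; the working form is `f.write("%s %s\n" % (type, qname))`, and the parameter shadows the builtin `type` while it is at it. Nothing in this file calls the helper — `create_response` appends to query.log itself — so the responder still runs, but a dead and broken helper in a test fixture is a trap for the next person who wires it up; fix it or delete it. The bare `except:` around `int(os.environ['PORT'])` also turns a malformed PORT into a silent fallback to 5300, so the responder would come up on the wrong port and the forward test would fail far from the cause; `except (KeyError, ValueError):` is the narrow form, and the same applies to the two bare excepts around the IPv6 bind.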
ec6a9e
diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
ec6a9e
index bc04eadb2c..b65b092680 100644
ec6a9e
--- a/bin/tests/system/forward/clean.sh
ec6a9e
+++ b/bin/tests/system/forward/clean.sh
ec6a9e
@@ -10,10 +10,12 @@
ec6a9e
 #
ec6a9e
 # Clean up after forward tests.
ec6a9e
 #
ec6a9e
+rm -f ./ans11/query.log
ec6a9e
 rm -f ./dig.out.*
ec6a9e
 rm -f ./*/named.conf
ec6a9e
 rm -f ./*/named.memstats
ec6a9e
 rm -f ./*/named.run ./*/named.run.prev
ec6a9e
+rm -f ./*/named_dump.db
ec6a9e
 rm -f ./ns*/named.lock
ec6a9e
 rm -f ./ns*/managed-keys.bind*
ec6a9e
 rm -f ./ns1/root.db ./ns1/root.db.signed
ec6a9e
diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..fd9a46eb0c
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns1/diditwork.net.db
ec6a9e
@@ -0,0 +1,22 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 300	; 5 minutes
ec6a9e
+@			IN SOA	ns root (
ec6a9e
+				2000082401 ; serial
ec6a9e
+				1800       ; refresh (30 minutes)
ec6a9e
+				1800       ; retry (30 minutes)
ec6a9e
+				1814400    ; expire (3 weeks)
ec6a9e
+				3600       ; minimum (1 hour)
ec6a9e
+				)
ec6a9e
+			NS	ns
ec6a9e
+			TXT	"recursed"
ec6a9e
+ns			A	10.53.0.1
ec6a9e
diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
ec6a9e
index 4aef4e55e5..c5fb2eb172 100644
ec6a9e
--- a/bin/tests/system/forward/ns1/named.conf.in
ec6a9e
+++ b/bin/tests/system/forward/ns1/named.conf.in
ec6a9e
@@ -63,3 +63,23 @@ zone "sld.tld" {
ec6a9e
 zone "example6" {
ec6a9e
 	type forward;
ec6a9e
 };
ec6a9e
+
ec6a9e
+zone "diditwork.net" {
ec6a9e
+	type primary;
ec6a9e
+	file "diditwork.net.db";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "spoofed.net" {
ec6a9e
+	type primary;
ec6a9e
+	file "spoofed.net.db";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "sub.local.net" {
ec6a9e
+	type primary;
ec6a9e
+	file "sub.local.net.db";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "net.example.lll" {
ec6a9e
+	type master;
ec6a9e
+	file "net.example.lll";
ec6a9e
+};
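Review bot: The new `net.example.lll` zone is declared with `type master;` while the three zones added just above it in this same hunk use `type primary;` — they mean the same thing, but one file should stay on one spelling, and `primary` is the form the rest of the hunk already uses. The zone file name `net.example.lll` also lacks the `.db` suffix the neighbouring declarations use (`diditwork.net.db`, `spoofed.net.db`, `sub.local.net.db`), so `file "net.example.lll.db";` with the fixture renamed would keep the directory consistent.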
ec6a9e
diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..ba0804fd75
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns1/net.example.lll
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+net.example.lll.		SOA	. . 0 0 0 0 0
ec6a9e
+net.example.lll.		NS	attackSecureDomain.net.
ec6a9e
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
ec6a9e
diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..eedc46f5c0
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns1/spoofed.net.db
ec6a9e
@@ -0,0 +1,22 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 300	; 5 minutes
ec6a9e
+@			IN SOA	ns root (
ec6a9e
+				2000082401 ; serial
ec6a9e
+				1800       ; refresh (30 minutes)
ec6a9e
+				1800       ; retry (30 minutes)
ec6a9e
+				1814400    ; expire (3 weeks)
ec6a9e
+				3600       ; minimum (1 hour)
ec6a9e
+				)
ec6a9e
+			NS	ns
ec6a9e
+ns			A	10.53.0.1
ec6a9e
+sub			TXT	"recursed"
ec6a9e
diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..fd9a46eb0c
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns1/sub.local.net.db
ec6a9e
@@ -0,0 +1,22 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 300	; 5 minutes
ec6a9e
+@			IN SOA	ns root (
ec6a9e
+				2000082401 ; serial
ec6a9e
+				1800       ; refresh (30 minutes)
ec6a9e
+				1800       ; retry (30 minutes)
ec6a9e
+				1814400    ; expire (3 weeks)
ec6a9e
+				3600       ; minimum (1 hour)
ec6a9e
+				)
ec6a9e
+			NS	ns
ec6a9e
+			TXT	"recursed"
ec6a9e
+ns			A	10.53.0.1
ec6a9e
diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..b655a32459
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/fakenet.zone
ec6a9e
@@ -0,0 +1,17 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+net.			SOA	. . 0 0 0 0 0
ec6a9e
+net.			NS	attackSecureDomain.net.
ec6a9e
+attackSecureDomain.net.	A	10.53.0.10
ec6a9e
+didItWork.net.		TXT	"if you can see this record the attack worked"
ec6a9e
+ns.spoofed.net.		A	10.53.0.10
ec6a9e
diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..cd1e6e9944
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/fakenet2.zone
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+net2.			SOA	. . 0 0 0 0 0
ec6a9e
+net2.			NS	attackSecureDomain.net.
ec6a9e
+net2.			DNAME	net.example.lll.
ec6a9e
diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..160b5332b2
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+sub.local.net.		SOA	. . 0 0 0 0 0
ec6a9e
+sub.local.net.		NS	ns.spoofed.net.
ec6a9e
+sub.local.net.		TXT	"if you see this attacker overrode local delegation"
ec6a9e
diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..f78cbc77f6
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
ec6a9e
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
ec6a9e
+sub.local.tld.		3600	IN	TXT	bad
ec6a9e
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
ec6a9e
diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..1f318dd867
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/named.conf.in
ec6a9e
@@ -0,0 +1,53 @@
ec6a9e
+/*
ec6a9e
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+ *
ec6a9e
+ * SPDX-License-Identifier: MPL-2.0
ec6a9e
+ *
ec6a9e
+ * This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+ *
ec6a9e
+ * See the COPYRIGHT file distributed with this work for additional
ec6a9e
+ * information regarding copyright ownership.
ec6a9e
+ */
ec6a9e
+
ec6a9e
+options {
ec6a9e
+	query-source address 10.53.0.10;
ec6a9e
+	notify-source 10.53.0.10;
ec6a9e
+	transfer-source 10.53.0.10;
ec6a9e
+	port @PORT@;
ec6a9e
+	pid-file "named.pid";
ec6a9e
+	listen-on { 10.53.0.10; };
ec6a9e
+	listen-on-v6 { none; };
ec6a9e
+	minimal-responses no;
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "net." {
ec6a9e
+	type master;
ec6a9e
+	file "fakenet.zone";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "spoofed.net." {
ec6a9e
+	type master;
ec6a9e
+	file "spoofednet.zone";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "sub.local.net." {
ec6a9e
+	type master;
ec6a9e
+	file "fakesublocalnet.zone";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "net2" {
ec6a9e
+	type master;
ec6a9e
+	file "fakenet2.zone";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "net.example.lll" {
ec6a9e
+	type master;
ec6a9e
+	file "net.example.lll";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "sub.local.tld." {
ec6a9e
+	type master;
ec6a9e
+	file "fakesublocaltld.zone";
ec6a9e
+};
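Review bot: `minimal-responses no;` in the options block is presumably there so named always fills the authority and additional sections with the spoofed `net. NS attackSecureDomain.net.` and its glue — which is exactly what the forwarding resolver must be shown discarding — but nothing in the file says so, and a later tidy-up could remove it; a comment such as `// send full authority/additional sections so the spoofed NS and glue reach the forwarding resolver` would pin it. The config also has no `recursion` statement and no hints zone, so with named's default (recursion allowed for local networks, if I recall the defaults) a query for a name ns10 is not authoritative for would be recursed and fail rather than be refused; `recursion no;` would make the attacker role explicit and responses to stray queries deterministic. `type master;` is used consistently within this file, but the other new zone declarations in the patch use `type primary;`.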
ec6a9e
diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..ba0804fd75
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/net.example.lll
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+net.example.lll.		SOA	. . 0 0 0 0 0
ec6a9e
+net.example.lll.		NS	attackSecureDomain.net.
ec6a9e
+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
ec6a9e
diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..fb70a4372b
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns10/spoofednet.zone
ec6a9e
@@ -0,0 +1,16 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL 86400
ec6a9e
+spoofed.net.		SOA	. . 0 0 0 0 0
ec6a9e
+spoofed.net.		NS	ns.spoofed.net.
ec6a9e
+ns.spoofed.net.		A	10.53.0.10
ec6a9e
+spoofed.net.		TXT	"this record is clearly spoofed"
ec6a9e
diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
ec6a9e
index 61b6569b07..819210dc05 100644
ec6a9e
--- a/bin/tests/system/forward/ns2/tld.db
ec6a9e
+++ b/bin/tests/system/forward/ns2/tld.db
ec6a9e
@@ -10,3 +10,9 @@ $TTL 300	; 5 minutes
ec6a9e
 ns			A	10.53.0.2
ec6a9e
 sld			NS	ns.sld
ec6a9e
 ns.sld			A	10.53.0.1
ec6a9e
+local			NS	ns.local
ec6a9e
+ns.local		A	10.53.0.9
ec6a9e
+sibling			NS	ns.sibling
ec6a9e
+ns.sibling		A	10.53.0.4
ec6a9e
+sibling			NS	ns.sub.local
ec6a9e
+ns.sub.local		A	10.53.0.10
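Review bot: The new glue `ns.sub.local A 10.53.0.10` points at the attacker address while both ns8/sub.local.tld.db and ns9/local.tld.db in this same patch define `ns.sub.local.tld. A 10.53.0.8`, and the name sits below the `local` delegation this file hands out two lines earlier. That contradiction looks deliberate — it is the "glue below a locally configured zone must be rejected" case from the commit message — but nothing in the zone file says so, and a later reader could "fix" the address to 10.53.0.8 and silently neuter the test. A comment on the line, e.g. `; deliberately bogus glue under the delegated local.tld — a resolver serving local.tld itself must reject it`, would keep the fixture self-explaining.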
ec6a9e
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
ec6a9e
index 855b4bfb82..85349aa97e 100644
ec6a9e
--- a/bin/tests/system/forward/ns4/named.conf.in
ec6a9e
+++ b/bin/tests/system/forward/ns4/named.conf.in
ec6a9e
@@ -60,3 +60,8 @@ zone "malicious." {
ec6a9e
 	type primary;
ec6a9e
 	file "malicious.db";
ec6a9e
 };
ec6a9e
+
ec6a9e
+zone "sibling.tld" {
ec6a9e
+	type primary;
ec6a9e
+	file "sibling.tld.db";
ec6a9e
+};
ec6a9e
diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..fe080ae974
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns4/sibling.tld.db
ec6a9e
@@ -0,0 +1,22 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+$TTL    86400
ec6a9e
+@       IN      SOA     malicious. admin.malicious. (
ec6a9e
+                              1         ; Serial
ec6a9e
+                         604800         ; Refresh
ec6a9e
+                          86400         ; Retry
ec6a9e
+                        2419200         ; Expire
ec6a9e
+                          86400 )       ; Negative Cache TTL
ec6a9e
+
ec6a9e
+@           IN    NS      ns
ec6a9e
+
ec6a9e
+ns          IN    A       10.53.0.4
ec6a9e
diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
ec6a9e
index 531ff59ece..f752eae885 100644
ec6a9e
--- a/bin/tests/system/forward/ns8/named.conf.in
ec6a9e
+++ b/bin/tests/system/forward/ns8/named.conf.in
ec6a9e
@@ -26,3 +26,8 @@ zone "." {
ec6a9e
 	type hint;
ec6a9e
 	file "root.db";
ec6a9e
 };
ec6a9e
+
ec6a9e
+zone "sub.local.tld" {
ec6a9e
+	type primary;
ec6a9e
+	file "sub.local.tld.db";
ec6a9e
+};
ec6a9e
diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..f2234c754e
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns8/sub.local.tld.db
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
ec6a9e
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
ec6a9e
+sub.local.tld.		3600	IN	TXT	good
ec6a9e
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
ec6a9e
diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..af0d2a5a67
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns9/local.net.db
ec6a9e
@@ -0,0 +1,16 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+local.net.		3600	IN	SOA	. . 0 0 0 0 0
ec6a9e
+local.net.		3600	IN	NS	localhost.
ec6a9e
+ns.local.net.		3600	IN	A	10.53.0.9
ec6a9e
+txt.local.net.		3600	IN	TXT	"something in the local auth zone"
ec6a9e
+sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this
ec6a9e
diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..876a9139da
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns9/local.tld.db
ec6a9e
@@ -0,0 +1,15 @@
ec6a9e
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+;
ec6a9e
+; SPDX-License-Identifier: MPL-2.0
ec6a9e
+;
ec6a9e
+; This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+;
ec6a9e
+; See the COPYRIGHT file distributed with this work for additional
ec6a9e
+; information regarding copyright ownership.
ec6a9e
+
ec6a9e
+local.tld.		3600	IN	SOA	. . 0 0 0 0 0
ec6a9e
+local.tld.		3600	IN	NS	localhost.
ec6a9e
+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
ec6a9e
+ns.sub.local.tld.	3600	IN	A	10.53.0.8
ec6a9e
diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..be9a43842f
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns9/named1.conf.in
ec6a9e
@@ -0,0 +1,67 @@
ec6a9e
+/*
ec6a9e
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ec6a9e
+ *
ec6a9e
+ * SPDX-License-Identifier: MPL-2.0
ec6a9e
+ *
ec6a9e
+ * This Source Code Form is subject to the terms of the Mozilla Public
ec6a9e
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
ec6a9e
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
ec6a9e
+ *
ec6a9e
+ * See the COPYRIGHT file distributed with this work for additional
ec6a9e
+ * information regarding copyright ownership.
ec6a9e
+ */
ec6a9e
+
ec6a9e
+options {
ec6a9e
+	query-source address 10.53.0.9;
ec6a9e
+	notify-source 10.53.0.9;
ec6a9e
+	transfer-source 10.53.0.9;
ec6a9e
+	port @PORT@;
ec6a9e
+	pid-file "named.pid";
ec6a9e
+	listen-on { 10.53.0.9; };
ec6a9e
+	listen-on-v6 { none; };
ec6a9e
+	dnssec-validation no;
ec6a9e
+	edns-udp-size 1232;
ec6a9e
+};
ec6a9e
+
ec6a9e
+key rndc_key {
ec6a9e
+	secret "1234abcd8765";
ec6a9e
+	algorithm hmac-sha256;
ec6a9e
+};
ec6a9e
+
ec6a9e
+controls {
ec6a9e
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
ec6a9e
+};
ec6a9e
+
ec6a9e
+server 10.53.0.10 {
ec6a9e
+	edns no;
ec6a9e
+};
ec6a9e
+
ec6a9e
+server 10.53.0.11 {
ec6a9e
+	edns no;
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "." {
ec6a9e
+	type hint;
ec6a9e
+	file "root.db";
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "attacksecuredomain.net." {
ec6a9e
+	type forward;
ec6a9e
+	forwarders { 10.53.0.10; };
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "attacksecuredomain.net2." {
ec6a9e
+	type forward;
ec6a9e
+	forwarders { 10.53.0.10; };
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "attacksecuredomain.net3." {
ec6a9e
+	type forward;
ec6a9e
+	forwarders { 10.53.0.11; };
ec6a9e
+};
ec6a9e
+
ec6a9e
+zone "local.net." {
ec6a9e
+	type primary;
ec6a9e
+	file "local.net.db";
ec6a9e
+	forwarders {};
ec6a9e
+};
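Review bot: Nothing in this file says how it differs from named2.conf.in: the three `type forward` zones here rely on the default `forward first`, while named2 sets `forward only` explicitly, and the `attacksecuredomain.net`, `.net2` and `.net3` zones each drive a different poisoning scenario (NS above the forwarded zone, DNAME for a parent, out-of-bailiwick answer-section data from the ans11 responder) that the zone names alone do not reveal. A short header comment naming the variant (`// forward-first variant: a poisoned NS/DNAME from the forwarder must not be cached even though named may fall back to recursion`) plus a one-line comment per forward zone would make the four ns9 configs self-describing. As far as this file shows, no global forwarders are configured, so the empty `forwarders {};` on the primary `local.net.` zone changes nothing; if it is meant as a guard that the zone is never forwarded, say so in a comment, otherwise drop it. The `edns no;` server clauses for 10.53.0.10/11 also deserve a why-comment (the Python responder does not handle an OPT record), since that is the kind of line that gets removed as "legacy".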
ec6a9e
diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
ec6a9e
new file mode 100644
ec6a9e
index 0000000000..2c40b42a0c
ec6a9e
--- /dev/null
ec6a9e
+++ b/bin/tests/system/forward/ns9/named2.conf.in
ec6a9e
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+server 10.53.0.11 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};
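Review bot: None of the new ns9 configurations records which phase of tests.sh swaps it in, and named2.conf.in, named3.conf.in and named4.conf.in differ from each other only in a few lines (per-zone `forward only;` here, a global `forward only; forwarders { 10.53.0.10; };` in named3, a `local.tld.` primary with no forwarding in named4), so a reader has to diff them to see the intent. A one-line comment after the licence block in each file, e.g. `// Loaded by tests.sh to recheck the spoofed-response scenarios with "forward only" zones`, would make the fixture self-describing. The same applies to the named3.conf.in and named4.conf.in hunks with their respective scenarios.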
diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
new file mode 100644
index 0000000000..576f57c10b
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named3.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+	forward only;
+	forwarders { 10.53.0.10; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.net." {
+	type primary;
+	file "local.net.db";
+	forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
new file mode 100644
index 0000000000..5cd7d84109
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named4.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.9;
+	notify-source 10.53.0.9;
+	transfer-source 10.53.0.9;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.9; };
+	listen-on-v6 { none; };
+	dnssec-validation no;
+	edns-udp-size 1232;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+	edns no;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+zone "local.tld." {
+	type primary;
+	file "local.tld.db";
+};
diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
new file mode 100644
index 0000000000..2cbdff5977
--- /dev/null
+++ b/bin/tests/system/forward/ns9/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
index 21cf67b782..a56dd3c03f 100644
--- a/bin/tests/system/forward/setup.sh
+++ b/bin/tests/system/forward/setup.sh
@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named1.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 (
     cd ns1
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index 6096b06ca7..dfbaf887f7 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+#
+# Check various spoofed response scenarios. The same tests will be
+# run twice, with "forward first" and "forward only" configurations.
+#
+run_spooftests () {
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+    # check 'net' is not poisoned.
+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
+    # check 'sub.local.net' is not poisoned.
+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+    # check that net2/DNAME is not cached
+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
+    # check extra net3 records are not cached
+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
+    for try in 1 2 3 4 5; do
+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
+        if [ ${lines} -eq 0 ]; then
+                sleep 1
+                continue
+        fi
+        [ ${lines} -eq 1 ] || ret=1
+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
+        grep -q '^local.net3' ns9/named_dump.db && ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+}
+
+echo_i "checking spoofed response scenarios with forward first zones"
+run_spooftests
+
+copy_setports ns9/named2.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+echo_i "rechecking spoofed response scenarios with forward only zones"
+run_spooftests
+
+#
+# This scenario expects the spoofed response to succeed. The tests are
+# similar to the ones above, but not identical.
+#
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
+copy_setports ns9/named3.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+# check 'net' is poisoned.
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
+# check 'sub.local.net' is poisoned.
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+# check that net2/DNAME is cached
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# This test doesn't use any forwarder clauses but is here because it
+# is similar to forwarders, as the set of servers that can populate
+# the namespace is defined by the zone content.
+#
+echo_i "rechecking spoofed response scenarios glue below local zone"
+copy_setports ns9/named4.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking sibling glue below zone ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
+# check for glue A record for sub.local.tld is not used
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
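Review bot: The retry loop in scenario 3 (`for try in 1 2 3 4 5`) cannot fail when `ns9/named_dump.db` never gains a net3 entry, because the `continue` branch leaves `ret` at 0 and nothing after the loop checks that the entries were ever seen; once they are seen, the remaining iterations just re-grep the same file instead of breaking. Recording whether the dump was inspected, breaking after the first inspection, and failing afterwards if it never was makes the check assert what its comment says. Separately, the six `rndccmd 10.53.0.9 … | sed 's/^/ns3 /'` lines in the reconfig/flush sequences label ns9 output as ns3; `sed 's/^/ns9 /'` matches the `dumpdb` line in run_spooftests. The rest of tests.sh and the helper definitions it calls are outside the hunk.
```shell
    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
    found=0
    for try in 1 2 3 4 5; do
        lines=$(grep "net3" ns9/named_dump.db | wc -l)
        if [ ${lines} -eq 0 ]; then
                sleep 1
                continue
        fi
        found=1
        [ ${lines} -eq 1 ] || ret=1
        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
        grep -q '^local.net3' ns9/named_dump.db && ret=1
        break
    done
    # fail if the dump never became available to inspect
    [ ${found} -eq 1 ] || ret=1
    # … unchanged: status accounting …
```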
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index e078f3313b..2a4d955caf 100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -12,10 +12,10 @@
 #
 # Set up interface aliases for bind9 system tests.
 #
-# IPv4: 10.53.0.{1..10}				RFC 1918
+# IPv4: 10.53.0.{1..11}				RFC 1918
 #       10.53.1.{1..2}
 #       10.53.2.{1..2}
-# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #
@@ -55,7 +55,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 1 2 3 4 5 6 7 8 9 10
+		for ns in 1 2 3 4 5 6 7 8 9 10 11
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && break
 			int=`expr $i \* 10 + $ns`
@@ -160,7 +160,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 10 9 8 7 6 5 4 3 2 1
+		for ns in 11 10 9 8 7 6 5 4 3 2 1
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && continue
 			int=`expr $i \* 10 + $ns - 1`
-- 
2.34.1